| 1 |
On Friday 19 Feb 2016 16:23:22 Daniel Quinn wrote: |
| 2 |
> The problem is that the names of the fields on iThings are different |
| 3 |
> from the fields I see in NetworkManager, so I don’t know what correlates |
| 4 |
> to what. |
| 5 |
> |
| 6 |
> I have just uninstalled libreswan and installed strongswan, but I can’t |
| 7 |
> find evidence of a networkmanager plugin for strongswan in Portage. |eix |
| 8 |
> stronswan| only returns one record: |net-misc/strongswan|, which is |
| 9 |
> installed. Can I use it without NetworkManager while using |
| 10 |
> NetworkManager for basic connectivity? |
| 11 |
|
| 12 |
I don't know for sure because I don't use NM. The strongswan plugin is called |
| 13 |
... "networkmanager" and you install this with the flag USE="networkmanager", |
| 14 |
which I assume is already set in your system. |
| 15 |
|
| 16 |
|
| 17 |
> Here’s the .mobileconfig file, with the juicy-bits redacted: |
| 18 |
> |<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC |
| 19 |
> |
| 20 |
> "-//Apple//DTD PLIST 1.0//EN" |
| 21 |
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <!-- Read more: |
| 22 |
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile |
| 23 |
> --> <plist version="1.0"> <dict> <!-- Set the name to whatever you like, |
| 24 |
> it is used in the profile list on the device --> |
| 25 |
> <key>PayloadDisplayName</key> <string>My IKEv2 VPN Profile</string> |
| 26 |
|
| 27 |
"My IKEv2 VPN Profile" |
| 28 |
|
| 29 |
is used as the name of these VPN settings. In strongswan's /etc/ipsec.conf |
| 30 |
you would set it as: |
| 31 |
|
| 32 |
conn "My IKEv2 VPN Profile" |
| 33 |
|
| 34 |
|
| 35 |
> <!-- |
| 36 |
> This is a reverse-DNS style unique identifier used to detect duplicate |
| 37 |
> profiles --> <key>PayloadIdentifier</key> <string>REDACTED</string> |
| 38 |
|
| 39 |
This would be the domain name of the server, or relevant domain name which |
| 40 |
will be queried on a reverse-DNS resolution to match the remote IP address to |
| 41 |
domain name. Not sure if this is needed by strongswan. |
| 42 |
|
| 43 |
|
| 44 |
> <!-- |
| 45 |
> A globally unique identifier, use uuidgen on Linux/Mac OS X to generate |
| 46 |
> it --> <key>PayloadUUID</key> <string>REDACTED</string> |
| 47 |
> <key>PayloadType</key> <string>Configuration</string> |
| 48 |
> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadContent</key> |
| 49 |
> <array> <!-- It is possible to add multiple VPN payloads with different |
| 50 |
> identifiers/UUIDs and names --> <dict> <!-- This is an extension of the |
| 51 |
> identifier given above --> <key>PayloadIdentifier</key> |
| 52 |
> <string>REDACTED</string> <!-- A globally unique identifier for this |
| 53 |
> payload --> <key>PayloadUUID</key> <string>REDACTED</string> |
| 54 |
> <key>PayloadType</key> <string>com.apple.vpn.managed</string> |
| 55 |
> <key>PayloadVersion</key> <integer>1</integer> <!-- This is the name of |
| 56 |
> the VPN connection as seen in the VPN application later --> |
| 57 |
> <key>UserDefinedName</key> <string>My IKEv2 VPN</string> |
| 58 |
> <key>VPNType</key> <string>IKEv2</string> <key>IKEv2</key> |
| 59 |
|
| 60 |
This tells you that you should configure IKEv2 in strongswan/NM. IKEv2 is the |
| 61 |
default, or you can set: |
| 62 |
|
| 63 |
keyexchange=ike ##will initate a connection as IKEv2 but will accept both |
| 64 |
IKEv1 and IKEv2 as a response. If you only want IKEv2 use: |
| 65 |
|
| 66 |
keyexchange=ikev2 |
| 67 |
|
| 68 |
|
| 69 |
> <dict> <!-- |
| 70 |
> Hostname or IP address of the VPN server --> <key>RemoteAddress</key> |
| 71 |
> <string>REDACTED</string> |
| 72 |
|
| 73 |
The above is the IP address of the Ubuntu VPN gateway. In strongswan terms |
| 74 |
you would set it as: |
| 75 |
|
| 76 |
right=123.456.78.9 ##Replace the digits with the Ubuntu public IP address |
| 77 |
|
| 78 |
|
| 79 |
> <!-- Remote identity, can be a FQDN, a |
| 80 |
> userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be |
| 81 |
> empty. IMPORTANT: DNs are currently not handled correctly, they are |
| 82 |
> always sent as identities of type FQDN --> <key>RemoteIdentifier</key> |
| 83 |
> <string>REDACTED</string> |
| 84 |
|
| 85 |
FQDN used as the VPN gateway identifier. In strongswan: |
| 86 |
|
| 87 |
rightid=REDACTED ##use here the RemoteIdentifier above. |
| 88 |
|
| 89 |
|
| 90 |
> <!-- Local IKE identity, same restrictions as |
| 91 |
> above. If it is empty the client's IP address will be used --> |
| 92 |
> <key>LocalIdentifier</key> <string></string> <!-- OnDemand references: |
| 93 |
> http://www.v2ex.com/t/137653 |
| 94 |
|
| 95 |
If there is no LocalIdentifier provided in the .mobileconfig, then it will use |
| 96 |
the IP address of the client. Set it as: |
| 97 |
|
| 98 |
left=%defaultroute |
| 99 |
|
| 100 |
|
| 101 |
> https://developer.apple.com/library/mac/featuredarticles/iPhoneConfiguration |
| 102 |
> ProfileRef/Introduction/Introduction.html Continue reading: |
| 103 |
> https://github.com/iphoting/ovpnmcgen.rb --> |
| 104 |
> <key>OnDemandEnabled</key> <integer>1</integer> <key>OnDemandRules</key> |
| 105 |
> <array> <dict> <key>Action</key> <string>Connect</string> </dict> |
| 106 |
> </array> <!-- The server is authenticated using a certificate --> |
| 107 |
> <key>AuthenticationMethod</key> <string>SharedSecret</string> |
| 108 |
> <key>SharedSecret</key> <string>REDACTED</string> |
| 109 |
|
| 110 |
authby=psk |
| 111 |
|
| 112 |
The value of the secret passphrase you will need to add in /etc/ipsec.secrets: |
| 113 |
|
| 114 |
<your_client_ID_goes_here> 123.456.78.9 : PSK "xY9LLZvwj4qCC2o/gGrWD" |
| 115 |
|
| 116 |
|
| 117 |
> <!-- Turn off EAP --> |
| 118 |
> <key>ExtendedAuthEnabled</key> <integer>0</integer> <!-- AuthName key is |
| 119 |
> required to dismiss the Enter Username screen on iOS 9, even if |
| 120 |
> ExtendedAuthEnabled is false --> <key>AuthName</key> <string></string> |
| 121 |
> <!-- AuthPassword key is required to dismiss the Enter Password screen |
| 122 |
> on iOS 9, even if ExtendedAuthEnabled is false --> |
| 123 |
> <key>AuthPassword</key> <string></string> </dict> </dict> </array> |
| 124 |
> </dict> </plist> | |
| 125 |
|
| 126 |
I can't tell from the above if the server has XAUTH configured. If it does |
| 127 |
then you need to add this in your /etc/ipsec.secrets file: |
| 128 |
|
| 129 |
Daniel : XAUTH "Daniel's account passwd" |
| 130 |
|
| 131 |
I also can't see above any ciphers set by the server, so I guess all that have |
| 132 |
been compiled in the client's OS kernel will be tried out in turn. |
| 133 |
|
| 134 |
The strongswan documentation and ipsec.conf man page has the rest you will |
| 135 |
need to configure your client. Keep an eye in the logs for errors so that you |
| 136 |
can find out what settings you should experiment with and if you got the |
| 137 |
syntax correct. |
| 138 |
|
| 139 |
-- |
| 140 |
Regards, |
| 141 |
Mick |
Archives